How to block attackers IP

by Subramanian 2012-09-13 11:15:38

1. High Load


Recently, server hits an abnormally high load, CPU usage hits average 15-20%.


#top

load average: 15.08, 18.30, 20.63





2. Who is Connecting?


Not sure if this a DOS attack, or just a single IP abuse the connection? Issue following command to list all the IP addresses connected to my server.


#netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

215 122.163.226.243
189 114.198.236.100
156 120.63.179.245
38 141.0.9.20
37 49.248.0.2
37 153.100.131.12
31 223.62.169.73
30 65.248.100.253
29 203.112.82.128
29 182.19.66.187






Below 3 IPs are taking 150+ connections, which is really abnormal, what are they trying to do?


215 122.163.226.243
189 114.198.236.100
156 120.63.179.245






P.S Google above IPs, 2 are from India, 1 from Pakistan.

3. null route


I believed above 3 IPs are the root cause of the high load issue, let null route those IPs, so that all incoming connections from those 3 IPs will be dropped or ignored.


null route command


route add 122.163.226.243 gw 127.0.0.1 lo
route add 114.198.236.100 gw 127.0.0.1 lo
route add 120.63.179.245 gw 127.0.0.1 lo






Alternative Command

You can also use following command to null route the IPs, both are doing the same thing.


route add -host 122.163.226.243 reject
route add -host 114.198.236.100 reject
route add -host 120.63.179.245 reject








Uses netstat -nr to display all the routes, to make sure it is added into the route table.


# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
114.198.236.100 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
120.63.179.245 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
122.163.226.243 127.0.0.1 255.255.255.255 UGH 0 0 0 lo






Done, wait few seconds, and check the server load again, it’s back to normal now.


#top

load average: 1.08, 5.30, 30.63






Check all connected IP again, those attacker’s IPs are gone:


#netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

40 141.0.9.20
37 49.248.0.2
36 153.100.131.12
31 223.62.169.73
25 65.248.100.253
29 203.112.82.128
29 182.19.66.187
38 142.0.9.20
28 141.121.9.20
38 141.0.9.201






Done.

4. Delete null route


To delete existing null route IPs, uses route delete.


route delete 122.163.226.243
route delete 114.198.236.100
route delete 120.63.179.245

Tagged in:

691
like
0
dislike
0
mail
flag

You must LOGIN to add comments